Abstract. The paper addresses the problem of computing maximal expected time to termination of probabilistic timed automata (PTA) models, under the condition that the system will, eventually, terminate. This problem can exhibit high computational complexity, in particular when the automaton under analysis contains cycles that may be repeated very often (due to very high probabilities, e.g. p = 0.999). Such cycles can degrade the performance of typical model checking algorithms, as the likelihood of repeating the cycle converges to zero arbitrarily slowly. We introduce an acceleration technique that can be applied to improve the execution of such cycles by collapsing their iterations. The acceleration process of a cyclic PTA consists of several formal steps necessary to handle the cumulative timing and probability information that result from successive executions of a cycle. The advantages of acceleration are twofold. First, it helps to reduce the computational complexity of the problem without adversely affecting the outcome of the analysis. Second, it can bring the "worst case execution time" problem of PTAs within the bounds of feasibility for model checking techniques. To our knowledge, this is the first work that addresses the problem of accelerating execution of cycles that exhibit both timing and probabilistic behavior.


1 Introduction 


In this paper, we consider the problem of computing the "expected worst case execution time", or "maximum expected termination time", for probabilistic timed automata (PTA). Given a probabilistic timed automaton $P$, with a start location $l_s$ and a final location $l_f$, this problem aims to compute an upper bound on the time needed to reach the final location $l_f$ from the start location $l_s$. The problem is easy to solve in the case of acyclic PTA, but successive executions of a cycle in a PTA model might yield a time series whose total summation can potentially be unbounded. The problem is interesting as cycles are common in the behavior of probabilistic systems. It is important since, in modelling real, cyber-physical systems, we often want to know not just "how quickly" but "how slowly" a particular system might execute. In general, "worst case execution time" (WCET) analysis is undecidable: it is undecidable to determine whether or not an execution of a system will eventually halt. However, for PTA models one can often use model checking to analyse the system and compute the WCET.


The WCET problem for the case of non-probabilistic timed systems with cyclic behavior has been addressed in [2], where a model checking algorithm based on the zone-abstraction technique was used, allowing on-the-fly computation of WCET for timed automata models and detection of the cases where WCET may be unbounded. For probabilistic timed systems the problem becomes much harder, as any solution needs to handle both timed transitions and probability distributions simultaneously.

We present an efficient approach to computing the WCET of cyclic PTAs which attempts to avoid the explicit repeated exploration of cycles encountered during model checking (explicit-state exploration with clock zones computed to represent the possible sets of values for a set of real-time clocks). This can be performed by detecting the cycles, analyzing the periodic behavior of the cycles, collapsing the cycle by computing the cumulative effect (in terms of contribution to WCET) of the cycle, and then eliminating the cycle from the subsequent search. A key feature of the proposed WCET algorithm is that it can detect on-the-fly cycles in the input model and determine whether the detected cycle is a cycle with constant delays or a cycle with periodic delays by examining only the characteristics of the reached fixed-points.

The proposed algorithm is based, roughly, on extending the standard forward exploration of the state space augmented with the acceleration of cycles encountered during the search, with some heuristics to optimize the computations. The primary case where the cycle collapsing presented in the algorithm would be of benefit is in systems where a cycle is taken with a high probability, potentially leading to numerous iterations before reaching some point of escape. The proposed acceleration technique is an interesting addition to the collection of techniques for PTA analysis, where existing algorithms for PTAs are not optimized to check WCET.


Related Work. The work in studied the problem of computing expected costs or rewards in PTAs using digital clocks, where they prove the equivalence of the continuous and integer-time semantics w.r.t. expected rewards. The approach is limited to finite-state models, and it is not clear how it performs in the presence of cycles that can be repeated with high probability. The authors have not proposed any acceleration technique to speed up the verification of WCET of cyclic PTAs.

The work in [9] proposed a solution to the problem of computing optimal expected reachability time in PTAs, relying on an interpretation of the PTA as an uncountable-state Markov decision process and employing a representation in terms of an extension of the 'simple' and 'nice' functions of [4]. The optimal prices are computed via a Bellman equation using value iteration. However, the authors did not provide any details about the complexity and efficiency of their algorithm. It is also not clear how the algorithm behaves in the presence of complex cycles which can be repeated with high frequency. Furthermore, the algorithm in [9] does not employ any form of acceleration technique to reduce the computational complexity of the problem.

In [2], the authors proposed a model checking algorithm based on the zone abstraction for the problem of computing maximum termination time of non-probabilistic timed automata (TA). However, for probabilistic timed systems the problem may be much harder, as the solution needs to handle both timed transitions and probability distributions. Moreover, the abstractions, optimisations, and accelerations developed for the verification of WCET of TAs [2] cannot be used to verify expected WCET of PTAs, as cycles in PTAs exhibit both timing and probabilistic behavior.


2 Preliminaries 


In this section, for the sake of completeness, we recall the definitions of probabilistic and timed probabilistic systems needed to give semantics to probabilistic timed automata. We also recall definitions of zone abstraction and the difference bound matrix data structure that is used to symbolically represent the state space of probabilistic timed systems.


2.1 Timed Probabilistic Systems 


A (discrete probability) distribution over a finite set $Q$ is a function $\mu : Q \to [0, 1]$ such that $\sum_{q \in Q} \mu(q) = 1$. For an uncountable set $Q'$, let $Dist(Q')$ be the set of distributions over finite subsets of $Q'$.


Definition 1. (Probabilistic systems). A probabilistic system, PS, is a tuple $(S, Steps, L)$ where $S$ is a set of states, $Steps \subseteq S \times Dist(S)$ is a probabilistic transition relation, and $L : S \to 2^{AP}$ is a labelling function assigning atomic propositions to states.

A probabilistic transition $s \xrightarrow{\mu} s'$ is made from a state $s$ by nondeterministically selecting a distribution $\mu \in Dist(S)$ such that $(s, \mu) \in Steps$, and then making a probabilistic choice of target state $s'$ according to $\mu$, such that $\mu(s') > 0$.


We now consider the definition of timed probabilistic systems. 


Definition 2. (Timed probabilistic systems). A timed probabilistic system, TPS, is a tuple $(S, Steps, L)$ where: $S$ and $L$ are as in Definition 1 and $Steps \subseteq S \times \mathbb{R} \times Dist(S)$ is a timed probabilistic transition relation, such that, if $(s, t, \mu) \in Steps$ and $t > 0$, then $\mu$ is a distribution. The component $t$ of a tuple $(s, t, \mu)$ is called a duration.


2.2 PTA Models and Expected WCET Problem 


A probabilistic timed automaton (PTA) models real-time behaviour in the same fashion as a classical timed automaton [4], namely by using clocks. Clocks are real-valued variables which increase at the same rate as time. Let $\mathcal{X}$ be the set of clock variables in a PTA $P$. We write $C(\mathcal{X})$ to denote the set of clock constraints over $\mathcal{X}$, i.e., the set of boolean combinations of atomic constraints of the form $x \sim c$, where $\sim \in \{<, \le, >, \ge\}$ and $c \in \mathbb{N}$. We denote by $C_{\le}(\mathcal{X})$ the restriction of $C(\mathcal{X})$ to positive boolean combinations only containing constraints of the form $x < c$ or $x \le c$.


Definition 3. (PTA syntax). A probabilistic timed automaton (PTA) is defined by a tuple $P = (L, l_0, L_f, \mathcal{X}, Act, inv, E, \mathcal{L})$ where

– $L$ is a finite set of locations and $l_0 \in L$ is an initial location;
– $L_f \subseteq L$ is a finite set of final (halting) locations;
– $\mathcal{X}$ is a finite set of clocks;
– $Act$ is a finite set of actions;
– $inv : L \to C_{\le}(\mathcal{X})$ is an invariant condition;
– $E \subseteq L \times Act \times C(\mathcal{X}) \times Dist(2^{\mathcal{X}} \times L) \times L$ is a finite set of probabilistic edges;
– $\mathcal{L} : L \to 2^{AP}$ is a labelling function mapping each location to a set of atomic propositions.


Definition 4. (PTA Semantics). Let $P = (L, l_0, L_f, \mathcal{X}, Act, inv, E, \mathcal{L})$ be a PTA. The semantics of $P$ is defined as the (infinite-state) timed probabilistic system $TPS_P = (S, Steps, L)$ where $S \subseteq L \times \mathbb{R}^{\mathcal{X}}_{\ge 0}$ such that $(\ell, v) \in S$ if, and only if, $v \models inv(\ell)$, and $((\ell, v), t, \mu) \in Steps$ if and only if one of the following conditions holds

– Time transitions: $t > 0$, $\mu = \mu_{(\ell, v + t)}$ and $v + t' \models inv(\ell)$ for $0 \le t' \le t$;
– Discrete transitions: $t = 0$ and there exists $(\ell, a, g, d, \ell') \in E$ such that $v \models g$ and for any $(\ell', v') \in S$:
\[ \mu(\ell', v') = \sum_{X \subseteq \mathcal{X} \,\wedge\, v' = v[X := 0]} d(X, \ell'). \]


A state of a PTA is a pair $(\ell, v) \in L \times \mathbb{R}^{\mathcal{X}}_{\ge 0}$ such that $v \models inv(\ell)$. In any state $(\ell, v)$, either a certain amount of time $t \in \mathbb{R}_{\ge 0}$ elapses, or an action $a \in Act$ is performed. If time elapses, then the choice of $t$ requires that the invariant $inv(\ell)$ remains continuously satisfied while time passes. We write $(\ell, v) \xrightarrow{t, e, p} (\ell', v')$ if from state $(\ell, v + t)$ and assuming probabilistic edge $e$ is selected, the next state is $(\ell', v')$ with probability $p$. Throughout this paper, we use the following notations: $weight(e)$ to refer to the probability weight of an edge $e$, $src(e)$ to refer to the source control location of edge $e$, and $out(src(e))$ to refer to the set of outgoing edges of the location $src(e)$. For example, if $e = (\ell, a, g, d, \ell')$ then $src(e) = \ell$ and $weight(e) = d(X, \ell') = p$, where $p \in (0, 1]$ and $X \subseteq \mathcal{X}$. In this paper, we make the following assumptions on the PTAs we consider.


Assumption 1. For any PTA $P$ we have:

1. all states in $P$ behave purely probabilistically (i.e. there is no non-determinism between edges of $P$);
2. every probabilistic edge in $P$ is associated with a weight from $(0, 1]$;
3. $P$ is a flat automaton, where each location in $P$ is part of at most one cycle;
4. $P$ is structurally non-zeno;
5. $P$ is well-formed (i.e. all transitions in $P$ lead to valid states);
6. all invariants of $P$ are bounded;
7. halting states of $P$ are time-lock states;
8. all invariants and enabling conditions of $P$ are convex.


It is interesting to note that in PTAs, edges do not result in the reset of a fixed set of clocks leading to a fixed location, but rather yield a distribution $d \in Dist(2^{\mathcal{X}} \times L)$ over resets and locations. Hence, a run of a PTA can be split into several parallel subruns whenever the nodes of the PTA have probabilistic choices. It thus may seem natural to define a run of a PTA as a tree (i.e. a set of branches) whose nodes are labeled by configurations of the automaton. To simplify the definition of WCET of PTAs, we will consider symbolic runs, that is, special sets of runs in PTAs in which the time delay the automaton can spend at a control location $\ell_i$ is represented by an interval $T_i$ of the form $[T_i^{min}, T_i^{max}]$. We can then define WCET as follows.


Definition 5. (WCET of PTAs). Let $P$ be a single-run PTA with a symbolic run $r$. Suppose that $r$ can be split into $r_0, \ldots, r_{k-1}$ symbolic subruns, where each subrun $r_i$ has the form
\[ \ell_0 \xrightarrow{T_0, e_0, p_0} \ell_1 \xrightarrow{T_1, e_1, p_1} \cdots \xrightarrow{T_{n-1}, e_{n-1}, p_{n-1}} \ell_n. \]
Then the maximum delay of $r_i$ can be computed as follows
\[ Maxdelay(r_i) = \sum_{a=0}^{n-1} \Big( \prod_{b=0}^{a} p_b \Big) \times T_a^{max}. \]
Hence, WCET of $P$ can be computed as follows
\[ WCET(P) = \sum_{i=0}^{k-1} Maxdelay(r_i). \]


Definition 6. (Termination of PTAs). We say that a PTA $P$ with single-run $r$ terminates if every subrun of $r$ reaches a halting state.


Example 1. To demonstrate how one can compute WCET of PTAs, let us consider the PTA given in Fig. 1. Note that the given PTA consists of a single run which can be split into two subruns $r_1$ and $r_2$, where $r_1$ visits locations start, l1 and end while subrun $r_2$ visits locations start, l2 and end. The location end represents the halting location of the automaton. Let us denote the edge from start to l1 by $e_0$ and the edge from start to l2 by $e_1$. Then $weight(e_0) = 0.4$ and $weight(e_1) = 0.6$, while the other edges have probability weight of one. The WCET of this automaton can be obtained by taking the sum of the delays of the two subruns, while maximizing the time delay the automaton can spend at each visited location. That is, $Maxdelay(r_1) = 5 \times 0.4 + 0.4 \times 10 = 6$ and $Maxdelay(r_2) = 5 \times 0.6 + 0.6 \times 10 = 9$. Hence, $WCET(P_1) = Maxdelay(r_1) + Maxdelay(r_2) = 15$.

Our goal here is to develop an efficient solution for WCET of cyclic PTAs by accelerating the execution of cycles that can be taken with high probability. Such classes of cycles can degrade the performance of model checking algorithms, since the probability to repeat the cycle converges to zero arbitrarily slowly.
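The Python code below is an added example (not the paper's own code) that encodes $P_1$ of Example 1 as a small table and computes $Maxdelay$ of every symbolic subrun and $WCET(P_1)$ exactly as Definition 5 prescribes; the location names, the dictionary layout and the function names are assumptions, and the enumeration works for any acyclic single-run PTA, not only $P_1$.

```python
# Constructed encoding of P1 (Fig. 1 / Example 1): location -> (maximum delay
# allowed by the invariant, outgoing edges as (edge name, weight, target)).
# Halting locations have no outgoing edges. The structure is assumed from the
# example text: x<=5 at start, x<=10 at l1 and l2, end is halting.
P1 = {
    "start": (5, [("e0", 0.4, "l1"), ("e1", 0.6, "l2")]),
    "l1": (10, [("e2", 1.0, "end")]),
    "l2": (10, [("e3", 1.0, "end")]),
    "end": (0, []),
}

def symbolic_subruns(pta, loc):
    """Enumerate the symbolic subruns from `loc` down to a halting location.

    Each subrun is a list of (T_max, edge weight) pairs, one per visited
    non-halting location: the delay T_a^max spent there and the weight p_a of
    the edge taken afterwards, mirroring l_0 --T_0,e_0,p_0--> l_1 --...--> l_n
    in Definition 5. The PTA is assumed acyclic, so the recursion terminates.
    """
    delay, edges = pta[loc]
    if not edges:                      # halting location: the subrun ends here
        return [[]]
    runs = []
    for _name, weight, target in edges:
        for tail in symbolic_subruns(pta, target):
            runs.append([(delay, weight)] + tail)
    return runs

def maxdelay(subrun):
    """Maxdelay(r) = sum_a (prod_{b<=a} p_b) * T_a^max, as in Definition 5."""
    total, prob = 0.0, 1.0
    for t_max, weight in subrun:
        prob *= weight                 # probability of the branch taken so far
        total += prob * t_max
    return total

def wcet(pta, start="start"):
    """WCET(P) = sum over all symbolic subruns r_i of Maxdelay(r_i)."""
    return sum(maxdelay(r) for r in symbolic_subruns(pta, start))

if __name__ == "__main__":
    for run in symbolic_subruns(P1, "start"):
        print(run, "->", maxdelay(run))
    print("WCET(P1) =", wcet(P1))      # 15.0
```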
Fig. 1. $P_1$: A PTA with two subruns

Example 2. The automaton in Fig. 2 contains a cycle that can be repeated with very high probability, where the likelihood to repeat the cycle gradually decreases. The first time we reach the choice point in Fig. 2 the probability of cycling is 0.999 while the probability of moving to the 'End' state is 0.001. If we take the cycle then the next time we reach the choice point we will effectively have a lower probability of again taking the cycle 'choice'. Effectively, the probability here is $0.999 \times 0.999$. And so on. In this way, the likelihood of staying within the cycle monotonically decreases and eventually reaches zero (or close enough to be considered as zero).

Fig. 2. $P_2$: A cyclic PTA which can be taken with high probability


2.3 The Zone Abstraction and Difference Bound Matrices 


The state space of dense-time models can, in general, be infinite (uncountable) and therefore cannot be directly model checked. However, researchers in real-time model checking devised an efficient representation of the state space of a TA based on zone graphs [8,12]. In a zone graph, zones denote symbolic states. In practice, this provides a more compact representation of the state space of a given TA model.

A zone is a pair $(l, \varphi)$, where $l$ is a location of a PTA $P$ and $\varphi$ is a clock zone. The clock zone $succ(\varphi, e)$ will denote the set of clock valuations $v'$ such that for some $v \in \varphi$ the state $(l', v')$ can be reached from the state $(l, v)$ by letting time elapse and by executing the transition $e$. The pair $(l', succ(\varphi, e))$ will represent the set of successors of $(l, \varphi)$ under the transition $e$. Note that the assignment of the values of the clocks in the initial location of $P$ is easily expressed as a clock zone since $v(x) = 0$ for every clock $x \in \mathcal{X}$. Note also that every constraint used in the invariant of an automaton location or in the guard of a transition is a clock zone. Therefore, clock zones can be used for various state reachability analysis algorithms for (probabilistic) timed automata.

Difference bound matrices (DBMs) [7] are the data structures most commonly used for representing the state spaces of (probabilistic) timed automata. A DBM is a two-dimensional matrix that records the difference between upper bounds of clock pairs up to a certain constant. Recall that a clock constraint over the set of clocks $X$ is a conjunction of atomic constraints of the form $x \sim m$ and $x - y \sim n$ where $x, y \in X$, $\sim \in \{<, \le, =, >, \ge\}$, and $m, n$ are integers. In order to provide a unified form for clock constraints in a DBM we introduce a reference clock $x_0$ with the constant value 0 that is not used in any guards or invariants. The matrix is indexed by the clocks in $X$ together with the special clock $x_0$. The element $D_{i,j}$ in matrix $D$ is of the form $(n, \prec)$ where $x_i, x_j \in X$, $n$ represents the difference between them, and $\prec \in \{<, \le\}$. Each row in the matrix represents the bound difference between the value of the clock $x_i$ and all the other clocks in the zone, thus a zone can be represented by at most $|X|^2$ atomic constraints. This implies that each pair of variables $(x_i, x_j)$ ($i \ne j$) will be represented by two atomic constraints $(d_{i,j}, \prec)$ and $(d_{j,i}, \prec)$.


3 Accelerating Execution of Probabilistic Timed Cycles 


In this section we discuss some acceleration techniques that can be used to improve the execution of cycles that may be repeated a high number of times. Let us denote the series of maximal expected delays that results from successive executions of a cycle $\pi$ in a PTA $P$ by $S_\pi$, and let $n$ be a cycle counter. We then use the notation $S_\pi \to 0$ to denote that the probability of taking the cycle moves to zero, and $S_\pi \xrightarrow{a.s.} c$, where $c < \infty$, to denote that the series converges almost surely. However, for any reachable cycle $\pi$ in the PTAs we consider, the series $S_\pi$ converges to zero probability (i.e. the cycle will not be taken forever) and converges with probability one, as discussed in Theorem 1. (Note that, as the effective probability of remaining in a cycle reduces every time we take the cycle, we often view the probability at the branch point as reducing in this way.)

Theorem 1. Let $\pi$ be a cycle in a PTA model that satisfies Assumption 1. Then (1) $S_\pi \to 0$ as $n \to \infty$ and (2) $S_\pi \xrightarrow{a.s.} c$ as $n \to \infty$, where $c < \infty$.


Fig. 3. $S_\pi$ converges sufficiently fast. Fig. 4. $S_\pi$ converges arbitrarily slowly.


Note that the series $S_\pi$ may converge to zero probability sufficiently fast or arbitrarily slowly depending on the probability weights of the edges of the cycle. Suppose that we use an approximation bound $\Delta = 10^{-6}$ to represent "close enough to zero" in probability when executing cycles in PTAs, so that once the probability that results from successive executions of a cycle becomes smaller than the bound $\Delta$, the cycle will no longer be repeated. It is easy to see then that the cycle in Fig. 3 will be repeated only four iterations (as it becomes "close enough to zero" quite quickly), where the series is $S_\pi = (10^{-2} + 10^{-4} + 10^{-6} + 10^{-8})$, while the cycle in Fig. 4 will be repeated around 13808 iterations, where the series is $S_\pi = (0.999 + 0.998001 + 0.997002 + 0.996005 + \ldots + 9 \times 10^{-8})$. We now discuss two forms of cycles that may be encountered when analyzing a cyclic PTA model: cycles with constant delays and cycles with periodic delays.


Definition 7. (Cycles with constant delays). Let $\pi$ be a cycle in a PTA model $P$ and $delay(\pi, i)$ be a function that computes the summation of delays of $\pi$ at some arbitrary iteration $i \ge 1$. We say that $\pi$ is a cycle with constant delays if for any two distinct iterations $i, j$ we have $delay(\pi, i) = delay(\pi, j)$.

Definition 8. (Cycles with periodic delays). Let $\pi$ be a cycle in a PTA model $P$. We say that $\pi$ is a cycle with periodic delays if the delays of $\pi$ are repeated every $k$ iterations, where $k > 1$. That is, $delay(\pi, i) = delay(\pi, i + k)$.


We now describe the basic formal steps that can be followed to accelerate the execution of a cycle $\pi$ in a PTA model $P$.

1. Synthesize a delay formula, $\varphi_\pi$, for the detected cycle $\pi$ that can be used to compute the cumulative delay introduced by successive executions of $\pi$. A delay formula for $\pi$ can be synthesized once a fixed-point of $\pi$ is reached.
2. Find the value of the loop counter $n$ at which the probability to repeat the cycle converges to zero. Recall that for the PTAs we consider the probability to repeat cycles decreases monotonically as the iteration number increases.
3. Compute the total expected delay of the cycle $\pi$ using $\varphi_\pi$.
4. Compute the clock zone that results from collapsing the cycle's iterations.
5. Update the probability weights of the automaton edges that have been affected by the acceleration process.
6. Restart the corresponding constructed Markov chain of $P$.


We first discuss how one can synthesize a formula for computing the expected delay of cycles with constant delays and cycles with periodic delays.


Definition 9. (Synthesizing formulae for cycles with constant delays). Let $P = (L, l_0, L_f, \mathcal{X}, Act, inv, E, \mathcal{L})$ be a PTA and $(e_0, \ldots, e_{m-1}) \in E_\pi$ be the sequence of edges of a reachable cycle $\pi$ in $P$ whose delay intervals between iterations are constant. Let $T_0^{max}, \ldots, T_{m-1}^{max}$ be the maximum delay bounds that can elapse at the cycle's locations $src(e_0), \ldots, src(e_{m-1})$. The cumulative delays that result from successive executions of $\pi$ can be computed as follows
\[ \varphi_\pi = \sum_{a=0}^{n} \sum_{b=0}^{m-1} I \times \Big( \prod_{c=0}^{m-1} weight(e_c) \Big)^{a} \times \Big( \prod_{d=0}^{b-1} weight(e_d) \Big) \times T_b^{max} \]
where $I$ represents the initial probability value at which the cycle $\pi$ has been reached during the analysis. The first summation operator in the formula is used to iterate through the cycle until the probability to repeat the cycle effectively converges to zero, while the second summation operator is used to iterate through the control locations of the cycle at each iteration. Since the control locations of the cycle can be reached with different probability values at each different iteration, the expected delays that result from visiting these locations can vary between iterations. However, the formula in Definition 9 can be simplified further as $\sigma = \prod_{c=0}^{m-1} weight(e_c)$ is constant. This yields the following formula
\[ \varphi_\pi = \sum_{a=0}^{n} \sum_{b=0}^{m-1} I \times \sigma^{a} \times \Big( \prod_{d=0}^{b-1} weight(e_d) \Big) \times T_b^{max}. \]

It remains to discuss how to compute the value of $n$ (i.e. the number of times the cycle can be repeated). To find the value of $n$ we need to solve the simple exponential equation $\sigma^n = \Delta / I$. By taking the natural logarithm of both sides, $n$ can be computed as follows
\[ n = \Big\lceil \frac{\ln(\Delta / I)}{\ln(\sigma)} \Big\rceil. \]


Definition 10. (Synthesizing formulae for cycles with periodic delays). Let $P = (L, l_0, L_f, \mathcal{X}, Act, inv, E, \mathcal{L})$ be a PTA and $(e_0, \ldots, e_{m-1}) \in E_\pi$ be the sequence of edges of a reachable cycle $\pi$ in $P$. Suppose that $\pi$ is a cycle with periodic delays so that the delays are repeated every $k$ iterations. The cumulative delays that result from successive executions of $\pi$ can be computed as follows
\[ \varphi_\pi = \sum_{a = 0, k, 2k, \ldots}^{n} \sum_{b=1}^{k} \sum_{c=0}^{m-1} I \times \Big( \prod_{d=0}^{m-1} weight(e_d) \Big)^{a+b-1} \times \Big( \prod_{e=0}^{c-1} weight(e_e) \Big) \times T_c^{b, max} \]
where $k$ represents the rate (i.e. number of iterations) at which delays of $\pi$ are repeated, and $T_c^{b, max}$ is the maximum delay that $P$ can spend at location $src(e_c)$ at iteration $b$, where $b \in \{1, \ldots, k\}$ and $c \in \{0, \ldots, m-1\}$. However, since the cycle contains periodic delays, every $k$ iterations the counter $b$ needs to be reset. Similar to cycles with constant delays, the given formula can be simplified to
\[ \varphi_\pi = \sum_{a = 0, k, 2k, \ldots}^{n} \sum_{b=0}^{k-1} \sum_{c=0}^{m-1} I \times \sigma^{a+b} \times \Big( \prod_{d=0}^{c-1} weight(e_d) \Big) \times T_c^{b, max}. \]


The next step in the process is to compute the accelerated clock zone that results from collapsing iterations of the cycle. Recall that zones provide a representation of sets of clock interpretations as constraints on (lower and upper) bounds on individual clocks and clock differences. Let $k$ be the iteration number at which the delay of the cycle becomes constant and $n$ be the value of the cycle counter at which the probability to repeat the cycle effectively converges to zero. We can compute the clock zone that results from accelerating such a cycle as follows.

– Updating lower/upper bounds of the automaton clocks. Updating the automaton clocks during acceleration is an easy task as the delays of the cycle are constant between iterations. Hence, the lower and upper bound of a clock $x$ can be updated as follows.
\[ D^{n}_{0x} = D^{k}_{0x} + (n - k) \times (D^{k}_{0x} - D^{k-1}_{0x}) \]
\[ D^{n}_{x0} = D^{k}_{x0} + (n - k) \times (D^{k}_{x0} - D^{k-1}_{x0}) \]

– Updating diagonal constraints of the automaton clocks. Updating this set of constraints is also a straightforward task. Let $x_1$ and $x_2$ be two clocks in the automaton being accelerated. Then the diagonal constraints involving $x_1$ and $x_2$ can be updated as follows.
\[ D^{n}_{x_1 x_2} = D^{k}_{x_1 x_2} + (D^{k}_{x_1 x_2} - D^{k-1}_{x_1 x_2}) \times (n - k) \]
\[ D^{n}_{x_2 x_1} = D^{k}_{x_2 x_1} + (D^{k}_{x_2 x_1} - D^{k-1}_{x_2 x_1}) \times (n - k) \]

We now turn to discuss how to compute the accelerated clock zone that results from collapsing the iterations of cycles with periodic delays. For this class of cycles, the lower and upper bounds of the automaton clocks can be updated as follows, where the variable $k$ is used in the formulae to represent the rate (number of iterations) at which delays are repeated.
\[ D^{n}_{0x} = \big( (D^{k}_{0x} - D^{0}_{0x}) \times \lfloor n / k \rfloor \big) + \sum_{i=1}^{n \bmod k} (D^{i}_{0x} - D^{i-1}_{0x}) \]
\[ D^{n}_{x0} = \big( (D^{k}_{x0} - D^{0}_{x0}) \times \lfloor n / k \rfloor \big) + \sum_{i=1}^{n \bmod k} (D^{i}_{x0} - D^{i-1}_{x0}) \]

The diagonal constraints of the automaton clocks can be updated as follows.
\[ D^{n}_{x_1 x_2} = \big( (D^{k}_{x_1 x_2} - D^{0}_{x_1 x_2}) \times \lfloor n / k \rfloor \big) + \sum_{i=1}^{n \bmod k} (D^{i}_{x_1 x_2} - D^{i-1}_{x_1 x_2}) \]
\[ D^{n}_{x_2 x_1} = \big( (D^{k}_{x_2 x_1} - D^{0}_{x_2 x_1}) \times \lfloor n / k \rfloor \big) + \sum_{i=1}^{n \bmod k} (D^{i}_{x_2 x_1} - D^{i-1}_{x_2 x_1}) \]
The next important step of the acceleration process is to update the probability weights of the edges of the automaton that have been affected by the acceleration. Note that, after acceleration, the probability weights of some edges of the cycle will have decreased (e.g. will be set to zero) and hence the probability weights of some other edges of the automaton need to be updated (increased) in order to maintain the overall probability distribution at states. This step can be performed according to the update rules given in Definition 11.


Definition 11. (Probability update rules after acceleration). Let $P = (L, l_0, L_f, \mathcal{X}, Act, inv, E, \mathcal{L})$ be a PTA and $(e_0, e_1, \ldots, e_{m-1}) \in E_\pi$ be the sequence of edges of a reachable cycle $\pi$ in $P$. Then after accelerating the execution of $\pi$ the probability weights of some edges in $P$ will be updated as follows

1. Let $E_{out}$ be the set of edges in the set $out(src(e_i)) \setminus \{e_i\}$, where $e_i \in E_\pi$. Then for each edge $e_j \in E_{out}$, such that $0 < weight(e_j) < 1$, update the probability weight of $e_j$ as follows
\[ weight'(e_j) = weight(e_j) + \frac{weight(e_i) \times weight(e_j)}{\sum_{e_k \in E_{out}} weight(e_k)} \]
where $weight(e_j)$ represents the probability weight of the edge $e_j$ in the prior distribution (before acceleration) and $weight'(e_j)$ represents the probability weight of the edge $e_j$ in the new distribution (after acceleration).

2. For each edge $e_i \in E_\pi$ whose $weight(e_i) < 1$ set $weight(e_i)$ to zero.


The last step of the process involves restarting the Markov chain of the model 
P by setting the initial probability of the system to one. The new initial state 
of the model will be chosen according to available probabilistic choices. 
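The Python code below is an added worked example, not the paper's implementation: it carries steps 1 to 5 of the acceleration process through a constructed two-location cycle with $\sigma = 0.999$ and $\Delta = 10^{-6}$ (the setting of Fig. 4), synthesizing the simplified delay formula of Definition 9, computing $n$ from the logarithm formula (rounding up is assumed), collapsing the $n$ iterations into one geometric-series step, applying the constant-delay DBM bound rule to one entry, and redistributing weights as in Definition 11. The edge weights, delays, DBM entries and function names are assumptions.

```python
import math

# Constructed cycle (assumed, in the spirit of Fig. 4): locations A and B.
# Edge e0: A -> B with weight 0.999, edge e1: B -> A with weight 1.0, so the
# cycle product sigma is 0.999. Maximum delays at src(e0) = A and src(e1) = B.
CYCLE_WEIGHTS = [0.999, 1.0]          # weight(e_0), weight(e_1)
CYCLE_DELAYS = [1.0, 4.0]             # T_0^max, T_1^max
# Outgoing edges of the choice point A: the cycle edge plus two escape edges
# (constructed so that the proportional redistribution of Definition 11 is visible).
OUT_OF_A = {"e0": 0.999, "e_end": 0.0006, "e_alt": 0.0004}

def cycle_sigma(weights):
    """sigma = prod_{c=0}^{m-1} weight(e_c): probability of completing one iteration."""
    sigma = math.prod(weights)
    if not 0.0 < sigma < 1.0:
        raise ValueError("cycle must be left with positive probability (Assumption 1)")
    return sigma

def iterations_until_negligible(sigma, delta, initial=1.0):
    """Step 2: n = ceil(ln(delta / I) / ln(sigma)), the first n with I * sigma^n < delta.
    Rounding up is an assumption; the paper only shows the bracketed quotient."""
    return math.ceil(math.log(delta / initial) / math.log(sigma))

def per_iteration_delay(weights, delays):
    """sum_{b=0}^{m-1} (prod_{d<b} weight(e_d)) * T_b^max: expected delay of one iteration."""
    total, prefix = 0.0, 1.0
    for w, t in zip(weights, delays):
        total += prefix * t
        prefix *= w
    return total

def cumulative_delay_explicit(weights, delays, n, initial=1.0):
    """Step 3, Definition 9 (simplified form) evaluated term by term:
    phi = sum_{a=0}^{n} I * sigma^a * (per-iteration delay). This is the work a
    model checker does when it unrolls the cycle n times."""
    sigma = cycle_sigma(weights)
    d = per_iteration_delay(weights, delays)
    return sum(initial * sigma ** a * d for a in range(n + 1))

def cumulative_delay_collapsed(weights, delays, n, initial=1.0):
    """Same value through the geometric series sum_{a=0}^{n} sigma^a = (1 - sigma^(n+1)) / (1 - sigma):
    all n iterations collapse into a single closed-form step."""
    sigma = cycle_sigma(weights)
    d = per_iteration_delay(weights, delays)
    return initial * d * (1.0 - sigma ** (n + 1)) / (1.0 - sigma)

def accelerate_bound(d_k, d_k_minus_1, n, k):
    """Step 4, constant-delay rule for one DBM entry: D^n = D^k + (n - k) * (D^k - D^{k-1})."""
    return d_k + (n - k) * (d_k - d_k_minus_1)

def update_weights(out_edges, cycle_edge):
    """Step 5, Definition 11: zero the cycle edge (rule 2) and hand its mass to the
    other outgoing edges of the location, proportionally to their prior weights (rule 1)."""
    e_out = {e: w for e, w in out_edges.items() if e != cycle_edge}
    total_out = sum(e_out.values())
    new = {}
    for e, w in out_edges.items():
        if e == cycle_edge:
            new[e] = 0.0 if w < 1.0 else w
        elif 0.0 < w < 1.0:
            new[e] = w + out_edges[cycle_edge] * w / total_out
        else:
            new[e] = w
    return new

if __name__ == "__main__":
    n = iterations_until_negligible(cycle_sigma(CYCLE_WEIGHTS), 1e-6)
    print("iterations before the cycle is dropped:", n)          # 13809
    print("explicit :", cumulative_delay_explicit(CYCLE_WEIGHTS, CYCLE_DELAYS, n))
    print("collapsed:", cumulative_delay_collapsed(CYCLE_WEIGHTS, CYCLE_DELAYS, n))
    # Constructed DBM entries: D^k = 10, D^{k-1} = 5, fixed point at k = 2.
    print("CLK upper bound after n iterations:", accelerate_bound(10.0, 5.0, n, 2))
    print("weights at A after acceleration:", update_weights(OUT_OF_A, "e0"))
```

The explicit and collapsed sums agree to floating-point precision, which is what justifies replacing the 13809 unrolled iterations by one accelerated step.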


3.1 Effectiveness of Acceleration 


The effectiveness of the proposed acceleration (the possible reduction in the size of the generated zone graph) depends on four factors: (a) the value of $\sigma$ (the rate at which the probability to repeat the cycle is decreasing), (b) the length of the cycle being accelerated, (c) the approximation bound $\Delta$ used to represent "convergence to zero", and (d) the size of the states of the model (the number of the clocks in the model, as this can affect the size of the generated DBMs).


Theorem 2. (Effectiveness of acceleration). Let $P$ be a PTA that satisfies Assumption 1 and $\pi$ be a reachable cycle in $P$. Then the proposed acceleration can reduce the size of the generated zone graph of $P$ by $((n - k) \times length(\pi))$ states, where $n$ represents the number of times the cycle can be repeated, $k$ represents the iteration number at which a fixed-point of $\pi$ can be reached, and $length(\pi)$ represents the number of transitions of $\pi$.

Let us denote the zone graph that results from model checking the non-accelerated cyclic PTA $P$ in which all system states are explored by $Z(P)$, and the graph that results from model checking the accelerated version of $P$ where cycle iterations are collapsed by $Z(P^*)$. Suppose that branches or subruns of $P$ contain $m$ cycles $\{\pi_1, \ldots, \pi_m\}$. Then the reduction gained (RG) from accelerating the executions of cycles in $P$ can be measured as follows
\[ RG = (|Z(P)| - |Z(P^*)|) = \sum_{i=1}^{m} ((n_i - k_i) \times length(\pi_i)). \]

The reader can easily construct an example where the series $S_\pi$ (the series that results from successive executions of $\pi$) converges almost surely while the series converges to zero probability arbitrarily slowly.


4 A Zone-based Algorithm for WCET of Cyclic PTAs 


In this section, we describe a zone-based algorithm that can be used to compute the expected WCET of cyclic PTAs. Each node in the computed zone graph of the given PTA model has the form $(\ell, Z, \alpha, sts, cnt)$ where the variable $sts$ (which is assigned to each state) is used to detect whether there exists a cycle on locations in the behavior of the automaton. The variable $sts$ can take values from the set $\{0, 1, 2\}$. When it is 0 it means that the location has not been visited before, when it is 1 it means the location has been visited before but not fully explored, and when it is 2 it means that everything reachable from that location has been explored. We assume that the reader is familiar with the classical DFS algorithm with the labeling process of nodes to unvisited (0), being explored (1), and finished (2) and hence we omit these details. The variable $\alpha$ maintains the probability value at which the state has been reached. The variable $cnt$ is used to keep track of the iteration number of a detected cycle, where $cnt$ is incremented every time a full iteration of the cycle is completed and reset once the cycle is skipped. By examining the value of the variable $cnt$ when a fixed-point of a cycle is reached, we can then distinguish between different forms of cycles.


Definition 12. (Detecting cycles with constant/periodic delays). Let $\pi$ be a reachable cycle in a PTA model $P$. Suppose that during the analysis of $\pi$ the two states $s$ and $s'$ have been reached where $(s.\ell = s'.\ell \wedge (s.Z \setminus inact = s'.Z \setminus inact))$ (i.e. a fixed-point has been reached w.r.t. the active clocks of the cycle). Suppose further that $s.cnt < s'.cnt$ so that the state $s'$ has been reached in an iteration that is greater than that of state $s$. We can then determine the class of the cycle $\pi$ by examining the characteristics of the reached fixed-point as follows

1. We say that $\pi$ is a cycle with constant delays or a cycle whose delays become constant after some iterations if the following condition holds
\[ (s.\ell = s'.\ell \wedge (s.Z \setminus inact = s'.Z \setminus inact) \wedge (s'.cnt < 3 \vee (s'.cnt - s.cnt) = 1)) \]
2. We say that $\pi$ is a cycle with periodic delays if the following condition holds
\[ (s.\ell = s'.\ell \wedge (s.Z \setminus inact = s'.Z \setminus inact) \wedge s'.cnt \ge 3 \wedge (s'.cnt - s.cnt) > 1) \]


It is interesting to note that the set of clock zones that result from the first iteration of a cycle can be arbitrary zones, as the initial zone at which the cycle is reached has not been obtained from the cycle's internal computations. Hence, if a fixed-point of a cycle is reached within the first three iterations, or within any two consecutive iterations of the cycle, then we know that the cycle must have constant delays. Otherwise, the cycle will have periodic delays. Note that the tests described in Definition 12 can detect all forms of cycles with constant or periodic delays, regardless of their underlying syntactic structures.

Algorithm 1 uses an extra clock $CLK$ to keep track of time delays that can elapse at each state of the model. The algorithm uses a number of operations to handle cycles in the input PTA. The operation ComputeLocationsOfCycle() is used to compute the set of control locations of the detected cycle in the form $(\ell_0, \ldots, \ell_{m-1})$. This is necessary in order to compute the set of final states when accelerating the execution of the cycle. The operation SynthDelayFormula() is used to synthesize a delay formula for the detected cycle once a fixed point is reached. Two acceleration procedures are used, namely AccelConstCycle(), which is used to accelerate cycles with constant delays, and AccelPeriodCycle(), which is used to accelerate cycles with periodic delays. Each of these acceleration


: Input: (P) 
: Output: double WCET := 0 
: double a := 1, prob := 1, A := 107° 
: int sts := 0, cnt := 0 
: clock CLK 
: WAIT := {(lo, Zo, a, sts, ent)}, PASSED := @ 
: while WAIT 4 @ do 
select s from WAIT 
add s to PASSED 
for each e € out(s.£) do 
prob := (s.a x weight(e)) 
s’ := succ(s.Z, e) 
ifs’) L=s LAs sts=1As'.Z=s .Z for any s € PASSED then 
Lr := ComputeLocationso f Cycle() 
ox := SynthDelayFormula(Lx) 
if s'ent <3 V ((s'.cnt — s” .cnt) = 1) then 
for each £ € L, such that out(£) > 1 do 
add (£, AccelConstCycle(L,)) to WAIT 
end for 
else if s'ent > 3 A ((s'.cnt — s” .cnt) > 1) then 
for each £ € L, such that out(£) > 1 do 
add (£, Accel PeriodCycle(Lx)) to WAIT 
end for 
end if 
s’.cnt := 0 
else if s'l =s" LAs" .sts =1A3'.Ż £8 .ZAprob>A 
for any s” € PASSED then 
WCET := WCET + prob * (|s".Z(cLK,0) — 8-Z(cLK,0)|) 
s'.cnt ++ 
add s’ to WAIT 
else if s'l =s” LAs sts=1As' Zs ZApro<A 
for any s” € PASSED then 
s'ent := 0 
prob := 1 
else 
WCET := WCET + prob * (|s'.Z(cLK,0) — $-Z(cLK,0)|) 
add s’ to WAIT 
end if 
37: end for 
38: end while 
39: return WCET 


Algorithm 1: An algorithm for computing WCET of deterministic PTAs 


procedures consists of a number of operations as described in Section [3] Note 
that in some cases, however, Algorithm[I]may compute more than one final state 
when accelerating the execution of a detected cycle 7, depending mainly on the 
structure of the cycle. That is, for each outgoing edge e; of the cycle’s location 


£, where e; ¢ Er, the algorithm computes a final state. So that if there are k 
control locations of the cycle 7 that have more than one outgoing edge then the 
algorithm computes k final states. 

It is interesting to note also that the algorithm uses the activity abstraction
when searching for a fixed-point of visited cycles. The activity abstraction ignores
clocks that are inactive at some point during the exploration. A clock is active
within a cycle π if its value at some location of the cycle may influence the
future evolution of the cycle. This can happen either when the clock appears in
the invariant condition of some location of the cycle, when it is tested in the guard
of some of the edges of the cycle, or when an active clock takes its value when moving
through an edge of the cycle. We write s.Z to refer to the set of clock constraints
involving active clocks at state s.


Theorem 3. Algorithm 1 computes a sound estimation of the WCET of PTAs.


To compute the WCET of a cyclic PTA, Algorithm 1 requires that each
reachable cycle is repeated until the probability that results from successive
executions of the cycle converges to zero. Since there is actually no end (it is
not possible, theoretically, to reach zero), Algorithm 1 uses an arbitrary stopping
point Δ, which is chosen in such a way that any errors accumulated across several
cycles are minimized and so that zero can be effectively reached. This ensures
a sound estimation of the WCET of the whole automaton.


5 Implementation 


In this section we briefly summarise our prototype implementation of the model
checking algorithms given in Section 4. It is important to note that the goal of
our implementation is to validate the presented algorithms, rather than to devise
an efficient implementation; this will be the subject of our future work.

The prototype implementation has been developed using the opaal tool [6] 
which has been designed to rapidly prototype new model checking algorithms. 
The opaal tool is implemented in Python and is a standalone model checking 
engine. We use the open source UPPAAL DBM library for the internal symbolic 
representation of time zones in the algorithms. 

We consider here one example of a cyclic PTA (see Fig. 5), but we verify it
under four different settings: (a) when p = 0.001 and c = 1, (b) when p = 0.001
and c = 10^6, (c) when p = 0.999 and c = 1, and (d) when p = 0.999 and
c = 10^6. It is easy to see that the WCET of the automaton under these four
settings will be different, as the number of times the cycle will be repeated and
the time that can elapse at each iteration will be different. For this example,
we set Δ = 10^{-6}. It is easy to see that the cycle in the given automaton has
constant delays, as the active clock of the cycle (clock x) is reset each time the
cycle is executed and hence after two iterations the search will reach a fixed-point
at location Start. The synthesized delay formula for computing the WCET of
the cycle will be δ_π = Σ_{i=0}^{n} (p^i · c), where n = ln(Δ) / ln(p).

Fig. 5. Demonstrating example

The WCET as computed by the algorithm for the four cases is as follows: (a)
WCET = 1.001, (b) WCET = 1001001.001, (c) WCET = 1000, and (d) WCET
= 10^9. For cases (a) and (b) the cycle needs to be repeated only two times,
while for cases (c) and (d) the cycle needs to be repeated about 13808 times.
However, the algorithm collapsed the iterations of the cycle and hence avoided
the explicit repeated exploration of the cycle. The algorithm returned an answer
for each case almost instantly. Note that there is no available implementation
of the algorithms presented in [10,9], and hence we were not able to report any
result about their performance in the presence of cycles. However, the algorithms in
[10,9] are not optimized to check the WCET of PTAs (especially those which contain
cycles that can be repeated very often due to high probabilities).
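The fixed-point tests of Definition 2 and the synthesized delay formula for the Fig. 5 cycle, as an added Python example that is not the paper's opaal prototype: `classify_cycle` assumes the zones reached at the cycle's head location are given as hashable values already restricted to the active clocks (s.Z \ inact), and `accelerate_constant_cycle` assumes the Fig. 5 shape of a single self-loop taken with probability p and constant delay c.

```python
import math
from typing import Hashable, Optional, Sequence, Tuple

# Added example, not the paper's prototype. A "zone" here is any hashable value
# standing for s.Z \ inact (the constraints over the cycle's active clocks).
Trace = Sequence[Tuple[Hashable, Hashable]]  # trace[cnt] = (location, zone) in iteration cnt


def classify_cycle(trace: Trace) -> Optional[str]:
    """Apply the fixed-point tests of Definition 2 to the states reached at the
    cycle's head location, one per iteration (cnt starts at 0).

    Returns "constant", "periodic", or None if no classifying fixed point has
    been reached yet. The conditions as stated leave s'.cnt = 3 with a gap > 1
    unclassified; such a period is then caught one iteration later (s'.cnt = 4)."""
    for cnt2 in range(1, len(trace)):
        loc2, zone2 = trace[cnt2]
        for cnt1 in range(cnt2):
            loc1, zone1 = trace[cnt1]
            if loc1 != loc2 or zone1 != zone2:
                continue  # no fixed point w.r.t. the active clocks
            if cnt2 < 3 or cnt2 - cnt1 == 1:
                return "constant"
            if cnt2 > 3 and cnt2 - cnt1 > 1:
                return "periodic"
    return None


def accelerate_constant_cycle(p: float, c: float, delta: float) -> Tuple[int, float]:
    """Collapse a constant-delay cycle taken with probability p and delay c per
    iteration (the Fig. 5 self-loop): n = ln(delta)/ln(p) iterations bring the
    cumulative probability p^n down to the stopping point delta, and the cycle's
    WCET is sum_{i=0}^{n} p^i * c, evaluated in closed form instead of by
    exploring the cycle n times."""
    if not (0.0 < p < 1.0) or not (0.0 < delta < 1.0):
        raise ValueError("p and delta must lie strictly between 0 and 1")
    n = math.floor(math.log(delta) / math.log(p) + 1e-9)  # guard against 1.999...
    delay = c * (1.0 - p ** (n + 1)) / (1.0 - p)  # geometric series, i = 0..n
    return n, delay


if __name__ == "__main__":
    # Constructed traces: the loop resets x, so the zone at Start repeats from
    # iteration 1 on; the second trace alternates between two zones.
    print(classify_cycle([("Start", "x<=5"), ("Start", "x==0"), ("Start", "x==0")]))
    print(classify_cycle([("l", "A"), ("l", "B"), ("l", "C"), ("l", "B"), ("l", "C")]))
    for p, c in [(0.001, 1), (0.001, 1e6), (0.999, 1), (0.999, 1e6)]:
        print(p, c, accelerate_constant_cycle(p, c, 1e-6))  # Section 5 settings (a)-(d)
```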


Nested Cycles and Intersecting cycles 


Algorithm 1 can handle only cyclic PTAs that satisfy the flatness assumption,
wherein each location can be part of at most one cycle. Hence, nested cycles
and intersecting cycles (i.e. two or more cycles which have at least one control
location in common) cannot be handled using Algorithm 1. The presence of such
classes of cycles complicates the formal verification of the expected WCET of PTAs.
In particular, if there is a nested cycle in the automaton, then if some inner
cycle is detected and then collapsed, the adjustment of the weights performed
(as detailed in Section 3) (along with the addition of the visited states to the
PASSED list in the algorithm) would impact the ability to accurately collapse
an "outer cycle" with arcs composed in part of the inner cycle. Furthermore,
the order in which intersecting cycles are executed can affect the outcome of
the WCET analysis, depending on the way the probabilistic choices at the common
control location are resolved. In future work, we aim to extend the algorithm to
handle complex forms of cycles including nested cycles and intersecting cycles.


6 Conclusion and Future Work 


We have described a model checking algorithm which can be applied to verify
the expected WCET of probabilistic timed systems with cyclic behavior. Indeed,
the presence of cycles that can be repeated a very high number of times in
the input timed probabilistic model can degrade the performance of the model
checking algorithm. However, we have shown that it is possible to accelerate the
execution of probabilistic timed cycles without adversely affecting the outcome of
the analysis. In future work, we aim to reconsider the problem while allowing
non-deterministic choices between edges, where the precise complexity of the
expected WCET problem for cyclic PTAs with non-determinism is still open.